Cybersecurity: Best Practices While Working Remotely Under COVID-19

April 21, 2020

It is not enough for organizations to make day-to-day decisions on how to respond to the COVID-19 pandemic—they must remain vigilant to protect and secure corporate data in an effort to mitigate cyber risk.  In these difficult times, cyber predators are looking to exploit overlooked security measures within businesses under intense pressure to operate during the pandemic.

Many Information Technology (IT) departments are racing to keep up with the demand for technology to support the alternate working solutions that many organizations have deployed. The rigid testing guidelines typically followed before the deployment of such technology may have been compressed in order to support the sudden rush of remote users.  Most of us are now working in a “Distributed Organization” (remote working) environment.  As such, organizations need to be proactive in identifying the new threat and risk scenarios they are now faced with and continue to promote organizational cyber awareness programs.  When an organization is managing sensitive data, especially data dealing with personal and private information, there is little room for errors or vulnerabilities in the cybersecurity systems. It becomes a balancing act of speed over control.

Right now, organizations need to enhance and communicate their IT security policies, especially regarding security standards for the remote workforce. The same level of security controls that exist in an office setting need to be managed across a distributed team. This is not so difficult to manage if employees are working on company-issued equipment, but not every company issues a laptop computer to its employees, and some may work from a home device. Be aware that personal devices are significantly less secure than organizational ones, making them more vulnerable to a malware attack. Be sure to issue a policy on personal devices and guidance for the security standards of remote workers, if your organization has not already done so. 

Employees want to stay productive but should only do so safely. If a remote worker experiences internet trouble at home and their service provider advises lowering the security settings, your policies should require them to reach out to IT, which would determine the risk that change would present to your corporate data.

Some tips for your IT team to help address these risks include the following:

• Ensure that multi-factor authentication is in place for 100% of employees 100% of the time.
• Ensure that employees connect to corporate networks using a secure means (e.g., a virtual private network), and store data on available encrypted network drives to avoid loss in the event of a computer virus or other malfunction.
• Ask employees to be wary of suspicious emails, downloads, USB drives or other things that could introduce malicious software onto the network. These could include spoofing and phishing attacks from hackers pretending to be IT personnel asking for login credentials.
• Promptly install patches and updates, including to anti-virus software, to all devices on your home network.
• Check individual Wi-Fi router management software to ensure it's running the latest firmware, which can update security flaws. 
• Establish a strong password on home Wi-Fi networks, unrelated to your work computer password.

In the past, business continuity and cybersecurity risks were addressed and managed as separate disciplines.  In today’s business landscape of alternate and remote work, IT risks need to be managed holistically so that threats and the ability to react and respond are integrated.  Lessons learned in the initial days and weeks of the COVID-19-related crisis are validating that organizations need to be actively managing their cyber risks and continuously communicating to system users their role in maintaining a secure digital environment.